CCC quality repair and market development Vice President on Tuesday confirmed the company wasn’t sharing collision repairers’ data with CARFAX and offered ways to shut down whoever was.

“We don’t share data with CARFAX, never have shared data with CARFAX, have no intention of sharing data with CARFAX,” Risley told the Collision Industry Conference. He said he’s “gotten this” weekly for the past year and a half. (Risley started with CCC in summer 2018.)

A slide shown to the conference also declared, “CCC does not and has not ever shared data with CARFAX.”

In the past, such incidents have been “one-off” and infrequent, but lately, the concerns and questions from SCRS members seem to have come in at a “very increasing pace,” he told an SCRS open board meeting in the summer. The volume suggests it’s no longer an anomalous issue, according to Schulenburg.

Risley said CCC — which historically has held the bulk of the estimating software market share — has protected data “for a long time.” He said the rumor he’s heard from the industry since joining CCC was that the company had the ability to do whatever it wanted with data and share information with whoever it wanted.

He said CCC’s data policy intentionally limited what it could do without obtaining additional repairer consent.

Risley shared a slide describing what he called the licensing terms in place for a while.

According to the slide, CCC used data “in the programs for repairers to manage estimates and repairs”; “to provide reporting back” to repairers; “deidentified and used in the aggregate” to inform the industry, such as the statistics seen in “Crash Course”; and “internally for trend analysis, research and development, and to make improvements to the products.”

The aggregated data meant nothing claim-specific, according to Risley.

Any deviation from this would be submitted to the repairer for approval, Risley said.

“We are absolutely restricting ourselves,” Risley said.

Risley suggested one source of data leaks could be the EMS estimate files sitting unencrypted on a repairer’s computers.

“It’s not encrypted,” he said. Any vendor data pumps were sucking up the entire estimate file, he said.

It’s possible that over the years a shop has installed a data pump for a vendor they no longer use, including during a software demo. Data could be going out to parties without the repairer realizing it. Or perhaps a vendor you’re not using on that particular estimate.

Another option is to use CCC’s Secure Share option for transmitting the more modern BMS file framework and configuring who could access what. 24 vendors are currently available there, and CCC encrypts the data being communicated.

BMS would continue to be free, he said. CCC will continue to support EMS and BMS, he said.

Finally, Risley also pointed out how a repairer could customize both who could receive data through UpdatePlus and how much of was shared with those individual parties.

‘Golden Rules’

Terlep said the CIC committee also sought to help shops better control data and outlined a series of plans to be incorporated into a tutorial.

He said one key element would involve educating shops how to determine who is accessing data and how to request and determine what data is being collected by another party.

Terlep said the committee also wanted to create a map of data sharing entities — who does each company receiving repairers’ information share data with?

“That’s a pretty big project,” Terlep said.

The committee also has developed what it feels are “golden rules” related to data use, sharing, security.

According to what Terlep called a first draft, these would include:

1. Never use data against your customers/end users, but rather in their service.

2. Provide clarity and education on what kinds of data are to be used, why and how (e.g., anonymous vs. personalized), with a simple experience in the “terms and conditions” acceptance.

3. Do not misuse and do not allow potential third parties to misuse data, aggressively promote data security and respect of privacy, and be clear on “legal aspects.”

4. Give customers/end users the choice of what to share and what not to share and for which purposes (i.e., customers need to be in control of their own data); periodically remind customers that they can revise the parameters of data sharing.